Is nothing sacred?

Non-knitting content post today, readers, but important for fiber folks to read, especially if you’re not a techie. I learned this afternoon that Ravelry, our very popular knitting/crocheting/weaving/fiber-ing website, got hacked recently. Ravelry user names and encrypted passwords were stolen. Even though passwords were encrypted, Casey (Ravelry’s code monkey) recommends you change your Ravelry password as soon as possible. I have changed mine. My old password was, and my new password is, Ravelry-specific; I don’t use them anywhere else.

I am grateful that Casey announced this soon afterward and was open about what happened. Some of the companies that were recently in the news delayed their announcement(s) or were not so open, making their and consumers’ problems even worse than they already were.

Lots of Ravelers in the forums are asking why anyone would want to hack a knitting site specifically. To learn about our yarn preferences? To put himself or herself in danger of being attacked by a million users armed with pointy sticks? Lots of theories are proposed; however, from what I’m reading some folks don’t seem to understand that it’s unlikely the data thief is after our knitting content. Thieves typically look for something juicy to steal, something that can generate financial gain.

It’s most likely the thief got user names and encrypted passwords and that’s where this ends. We’re relatively safe. It’s also somewhat possible the thief can decrypt those passwords, or stole more than Ravelry’s Powers That Be have yet detected (I’m definitely not accusing anyone of anything here, just saying it’s something to consider). Assuming the thief is able to decrypt the passwords, he or she now has a known working user name and password combination that you may have used in another area of your online life. Our Ravelry accounts also have the potential to contain information that can readily allow someone with bad intent to really mess up your life, were someone else to log on there as you:

Fortunately for us Ravelers, Ravelry doesn’t store financial information; a hacker couldn’t get your credit card number from Ravelry. However, if you’ve used your Ravelry user name and password combination on any other site (your bank or PayPal or Amazon, perhaps?) and if this thief has it, he or she has a means of obtaining access to those and having a field day. Those things I listed above? People commonly use family members’ names or favorite things to create their passwords so you may have some easy-to-guess passwords. If you use the same password for your email account or your blog or your business that you’ve listed in “About me,” change those passwords too. Obviously, any fellow Raveler has access to all our profile information and we should use a little discretion in what we put there. I like to think I can trust all Yarn People but I know that’s an unrealistic assumption.

The other big potential problem I see is that the thief who took this data knows we’re all Yarn People and if he or she got our email addresses (or can guess them — is your email address your Ravelry user name followed by @yahoo or @gmail?), can now send targeted email. Possibilities:

– a malware link disguised as an enticing cashmere promotion
– a spearphishing (targeted phishing) message saying your account at Ravelry or Favorite Local Yarn Store or PayPal is suspended, “click here now to verify your account”
– a message from a fellow Raveler saying “I’m on vacation and my wallet got stolen, I need help so click this link to send me money”

So… be careful out there. Don’t use the same user names and passwords for everything. If you have, go change some of them, especially financial ones. Be cautious what you click on in an email, even if the source looks like it’s from a friend or reputable vendor. If the email is something financial (especially from a bank or credit card company), don’t click on any links in the email. Open a browser window, browse to the bank’s website, then log in and look for any messages. All that stuff is spoofed so easily that it’s better to be safe than sorry.

And the last thing we want is for someone to get our yarn money.

One more thing: if anything pops up saying “your computer is infected!” and it isn’t from the anti-virus and anti-malware software you installed on your computer and pay an annual subscription fee for, don’t click on it, not even to close it. Restart your computer, launch your anti-virus software, and run a complete scan.

My apologies for long-windedness. Information theft is something I feel strongly about; too many people I know have fallen prey to one or more of these, and data thieves and malware writers should be locked up in windowless cells without a computer.